Purpose

It is Circassia’s policy to respect and protect Personal Information collected or maintained by or on behalf of Circassia—therefore, Circassia adheres to the EU-U.S. Privacy Shield Principles. In furtherance of this commitment, Circassia has certified to the EU-U.S. Privacy Shield Framework (“Privacy Shield”), as set forth by the U.S. Department of Commerce and the Federal Trade Commission (“FTC”), regarding the collection, use and retention of Personal Information from Citizens in support of Circassia’s human resources, commercial, supplier, and clinical operations (collectively, Circassia’s “Operations”). To learn more about Privacy Shield, and to view Circassia’s certification, please visit https://www.privacyshield.gov.

Scope

This Statement describes the principles pursuant to which Circassia manages Personal Information received: (i) from Employees, in support of Circassia’s human resources operations; (ii) in the course of Circassia’s operations involving current, prospective and former clients, customers, visitors and guests (collectively “Clients”); (iii) in the course of its related interactions with current, prospective and former suppliers, distributors, subcontractors and strategic partners (collectively, “Suppliers”); and (iv) physicians/investigators, health care professionals, and trial subjects (collectively, “Clinical Parties”). The categories of Personal Information covered by this Statement include Personal Information relating to Employees, Clients, Suppliers, and Clinical Parties. In connection with Circassia’s Operations, Circassia may now and/or in the future: (a) transfer Personal Information of Employees, Clients, Suppliers, and/or Clinical Parties outside of the EEA to the United States; and/or (b) access Personal Information regarding Employees, Clients, Suppliers, and/or Clinical Parties from the United States.

Definitions

The following capitalized terms are used throughout this document and are defined as follows:

“Agent” or collectively, “Agents” means any third party that processes Personal Information pursuant to the instructions of, and solely for, Circassia or to which Circassia discloses Personal Information for use on its behalf.

“Circassia” or the “Company” collectively refers to Circassia Pharmaceuticals Inc. and any and all subsidiaries and affiliates thereof that are incorporated in any state or territory of the United States.

“Citizen” or collectively, “Citizens” means a lawful citizen or citizens of any EEA country and includes Employees, Clients, Suppliers, and Clinical Parties.

“Employee” or collectively, “Employees,” means any Circassia Citizen-employee(s) (and any and all dependents thereof), including, but not limited to, temporary, permanent, and former employees, directors, contractors, workers and retirees. For purposes of this Statement only, the term “Employee” or “Employees” shall also include any of Circassia’s independent contractors and job applicants that are Citizens.

“Personal Information” means any information or set of information about an identified or identifiable Citizen, including, but not limited to: (a) first name or initial and last name; (b) home or other physical address; (c) telephone number; (d) email address or online identifier associated with the Citizen; (e) Social Security number or other similar identifier; (f) employment, financial or health information; or (g) any other information relating to a Citizen that is combined with any of the above. The term “Personal Information” does not include anonymized information or information that is reported in the aggregate (provided that such aggregated information is not identifiable to a natural person).

“Privacy Shield Principles” collectively means the following seven (7) privacy principles as described in the Privacy Shield: (1) Notice, (2) Choice, (3) Accountability for Onward Transfer, (4) Security, (5) Data Integrity and Purpose Limitation, (6) Access, and (7) Recourse, Enforcement and Liability, as well as the supplemental privacy principles and the associated guidance set forth in those certain “Frequently Asked Questions” as agreed to by the U.S. Department of Commerce and the European Commission.

“Process” or “Processing” of Personal Information means any operation or set of operations which is performed upon Personal Information, whether or not by automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure or dissemination, and erasure or destruction.

Capitalized terms not defined above have the definitions set forth in the respective paragraphs of this Statement.

Privacy Shield Principles

1. Notice: In the event that Circassia collects Personal Information from a Citizen, Circassia will furnish a notice to the Citizen that describes: (i) the types of Personal Information that it collects about such Citizens; (ii) the purposes for which it collects such information; (iii) the types of third parties to which it discloses such information, and the purposes for which it does so; and (iv) how to contact Circassia with any inquiries or complaints, including any relevant establishment in the EEA that can respond to such inquiries or complaints. Notice will be provided in clear and conspicuous language at the time of collection, or as soon as reasonably practicable thereafter. In any event, notice will be provided before Circassia discloses the Personal Information or uses such information for a purpose other than that for which the Personal Information was originally collected or processed.

2. Choice: In the event that Personal Information is to be used for a new purpose that is materially different from the purpose(s) for which the Personal Information was originally collected or subsequently authorized, or transferred to a non-Agent third party, Citizens will be provided, where practical and appropriate, with an opportunity to decline to have their Personal Information so used or transferred. In the event that the Personal Information used for a purpose other than that for which it was originally collected or subsequently authorized or transferred to the control of a non-Agent third party is Sensitive Personal Information, the Citizen’s affirmative express consent will be obtained prior to the use or transfer of the Sensitive Personal Information or as otherwise permitted in accordance with the Privacy Shield Principles.

3. Accountability for Onward Transfer: Circassia will endeavor to only transfer Personal Information to an Agent where such Agent has given assurances that it provides at least the same level of privacy protection as is required by the Privacy Shield Principles and this Statement and will notify Circassia if it makes a determination it can no longer meet this obligation. Where Circassia has knowledge that an Agent is using or sharing Personal Information in a way that is contrary to the Privacy Shield Principles and/or this Statement, Circassia will take reasonable steps to prevent or stop such Processing. With respect to onward transfers to Agents, Privacy Shield requires that, to the extent it is responsible for the event, Circassia shall remain liable should its Agents Process Personal Information in a manner inconsistent with the Privacy Shield Principles.

5. Data Integrity and Purpose Limitation: Circassia endeavors to limit the collection, usage, and retention of Personal Information to that which is relevant for the intended purposes of Processing, and takes reasonable steps designed to ensure that all Personal Information is reliable for its intended use, accurate, complete and current. Circassia depends on its Employees to keep Personal Information reliable, accurate, complete and current.

6. Access: Citizens may seek confirmation regarding whether Circassia is Processing Personal Information about them, request access to their Personal Information and ask that the Company correct, amend or delete that information, where it is inaccurate or has been processed in violation of the Privacy Shield Principles. Although Circassia makes good faith efforts to provide Citizens with access to their Personal Information, Circassia reserves the right to limit or deny such access where the burden or expense of providing access would be disproportionate to the risks to the Citizen’s privacy, where the rights of Citizens other than the subject Citizen would be violated, where the information is commercially proprietary or where doing so is otherwise consistent with the Privacy Shield Principles. If Circassia determines that access should be restricted in any particular instance, we will provide you with an explanation of why that determination has been made and a contact point for any further inquiries.

7. Recourse, Enforcement and Liability: Circassia has implemented mechanisms to verify its ongoing compliance with the Privacy Shield Principles and this Statement. Any party that violates the Privacy Principles and/or this Statement will be subject to disciplinary procedures in accordance with Circassia’s disciplinary procedures."In compliance with the Privacy Shield Principles, Circassia commits to resolve complaints about our collection or use of your personal information. EU individuals with inquiries or complaints regarding our Private Shield policy should first contact Circassia at: privacy@circassia.com

In the event of a dispute, Citizens are able to seek resolution of their questions or complaints regarding use and disclosure of their Personal Information in accordance with the Privacy Shield Principles contained in this Statement. If you feel that Circassia is not abiding by the terms of this Statement, or is not in compliance with the Privacy Shield Principles, please contact Circassia at the contact information provided below. In addition, Circassia has agreed to cooperate with JAMS Privacy Shield Dispute Resolution Program with respect to complaints related data of Clients, Suppliers, and Clinical Parties and with the local data protection authorities with respect to Employee and human resources data. For more information and to submit a complaint to JAMS, visit https://www.jamsadr.com/eu-us-privacy-shield. Such independent dispute resolution mechanisms are available to Citizens free of charge. If any request remains unresolved, Citizens may have a right to invoke binding arbitration under Privacy Shield. The FTC has jurisdiction over Circassia’s compliance with the Privacy Shield.

Affirmative Commitment

Circassia complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union to the United States. Circassia has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov.

Limitation on Scope of Privacy Shield Principles

Adherence to these Privacy Shield Principles may be limited (i) to the extent required or allowed by applicable law, rule or regulation; (ii) to the extent necessary to respond to lawful requests by public authorities, including to meet national security, law enforcement, legal or governmental requirements; and/or (iii) to protect the health or safety of a Citizen.

Complaints and Contact Information

If you have questions regarding this Statement or any of Circassia’s privacy practices, please contact us by mail or e-mail at the following addresses:

Changes to this Statement

This Statement may be amended from time to time in a manner that is consistent with the requirements of the Privacy Principles. When this Statement is updated, the “Last Updated” date at the bottom of this document shall be amended accordingly. Any material changes to this Statement will be posted on Circassia’s website and available to the general public at www.circassia.com/privacy.

THIS STATEMENT HAS BEEN INITIALLY ADOPTED BY CIRCASSIA AS OF THE 30TH DAY OF SEPTEMBER, 2016.

Last Updated: August 1, 2018

Circassia Pharmaceuticals plc may use your personal information to contact you by email, telephone or post to respond to your query.

Your personal information will be managed by Circassia Pharmaceutical Plc, and / or its Group companies, with its company address at Northbrook House, Robert Robinson Avenue, The Oxford Science Park, Oxford, OX4 4GA, United Kingdom and may be stored outside your country of residence (including in the U.K., Europe and USA). Circassia may share your personal information with third parties who support Circassia in providing products and services to you on Circassia’s behalf. To learn more see our Privacy Policy.

By clicking Yes you will be taken to a third-party website or websites to which Circassia's Privacy Policy and other rules do not apply. Circassia is not responsible for the privacy policy of any third-party websites. You are solely responsible for interactions with such third-party website(s).